An iCEBreaker-based hardware glitching thing
Break black-box hardware devices by messing with their clock or power feed.
Specifically, a glitch introduced at the right time can bypass individual instructions, which has interesting security implications.
Several of the blocks above are designed to have drop-in replacements. One example is the Detector module that triggers glitching: it must detect a predictable and stable starting state in the target device. In some cases it may be enough to snoop an indicator LED; for other targets, an I2C bus may have to be sniffed for a specific message. Implement a new Detector module and connect it!
The Control block consists of a very simple state machine:
- Wait for the trigger signal, indicating the target is ready
- Start the delay countdown
- At the end of the delay, inject a glitch
- If a Success signal is detected, halt
- Alter the delay
- Reset the target device
- Start over
On Success, we've found a specific Delay value (counted in cycles) and a specific glitch mode which causes the target device to do what we want it to do.
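As an added illustration (not code from this project, whose Control block is a hardware design), here is a software model of the state machine above, run against a constructed target model; the names TargetModel, control_sweep and the check-cycle values are assumptions. It also shows that, in this model, a target that repeats its check at a second cycle is never found by a single-glitch sweep, which is the reason such redundancy is used as a countermeasure.

```python
from dataclasses import dataclass
from enum import Enum, auto


@dataclass
class TargetModel:
    """Constructed target: TRIGGER goes HIGH a fixed number of cycles before
    the check, and a glitch landing exactly on a check's cycle skips that one
    instruction. SUCCESS is raised only if every check was skipped."""
    check_cycles: tuple  # cycles after TRIGGER at which a check executes (assumed)

    def run(self, glitch_delay):
        skipped = {c for c in self.check_cycles if c == glitch_delay}
        return skipped == set(self.check_cycles)


class State(Enum):
    WAIT = auto()    # wait for the Detector's trigger signal
    COUNT = auto()   # delay countdown
    GLITCH = auto()  # inject the glitch
    CHECK = auto()   # look for SUCCESS, otherwise alter the delay
    RESET = auto()   # reset the target and start over
    HALT = auto()


def control_sweep(target, max_delay, delay_step=1):
    """One run of the Control block. Returns (delay_on_success_or_None,
    attempts, trace_of_states); the sweep halts on SUCCESS or once the delay
    would exceed max_delay."""
    state, delay, attempts, hit, trace = State.WAIT, 0, 0, False, []
    success_delay = None
    while state is not State.HALT:
        trace.append(state)
        if state is State.WAIT:
            state = State.COUNT          # model target always asserts TRIGGER
        elif state is State.COUNT:
            state = State.GLITCH         # countdown of `delay` cycles elapsed
        elif state is State.GLITCH:
            attempts += 1
            hit = target.run(delay)      # glitch lands `delay` cycles after TRIGGER
            state = State.CHECK
        elif state is State.CHECK:
            if hit:
                success_delay, state = delay, State.HALT
            elif delay + delay_step > max_delay:
                state = State.HALT       # range exhausted, nothing found
            else:
                delay, state = delay + delay_step, State.RESET
        elif state is State.RESET:
            state = State.WAIT
    return success_delay, attempts, trace
```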
The target device runs something sensitive; for example, it computes a hash and checks the result against a fixed "proper" value.
Connections to the DESYNK board:
- TARGET_CLK which drives the target device
- TRIGGER which the target sets HIGH at a fixed time before the check
- SUCCESS which the target sets HIGH if the check is bypassed
- POWER which enables the power feed to the target device
- THROTTLE which grounds the power feed of the target device
Edit top.sv to modify the pin mapping and set various parameters. Eventually, the parameters specified here will be used to select which modules are active.
Injects a number of faster clock cycles on the target's clock input. The following figure shows three different instances of the glitching module, injecting 1, 2 and 7 cycles respectively.
Triggered by a simple digital input signal. Set RISING_EDGE=1 to trigger on a rising edge, or RISING_EDGE=0 to trigger on a falling edge.
This is all theoretical, since nothing is implemented.
The USR button on the iCEBreaker resets the board. On boot, a normal 16MHz clock signal is generated without glitches, to allow for target reprogramming and such.
The top button starts glitching. The top LED indicates that glitching is underway.
Modular target control to reset the target:
- Direct power control
- Reset pin on the target
Modular detector for TRIGGER and SUCCESS signals:
- Signal pin
- UART snooping
Modular glitch mode:
- Single quick-cycle
- Skip cycle
- Multiple quick cycles
- Power glitches